Illinois Data Breach Law

Illinois Data Breach Law — What Every Business Owner Must Know

Any business that processes personal data is probably familiar with the GDPR by now. However, the GDPR is not the only data protection law that businesses must be familiar with. Illinois has its own data protection law, the “Personal Information Protection Act,” 815 ILCS §§ 530/1, et seq. (“Act”), which governs the actions that businesses storing personal information must take in the event of a data breach. A violation of Illinois’ data protection law constitutes a per se unfair practice under the Illinois Consumer Fraud Act, meaning business owners cannot afford to ignore the Act.

Unlike the European Union, the United States has no comprehensive data protection regulatory scheme. Protection of personal information is handled on a state-by-state basis. Each state, however, has its own law requiring notification of individuals affected by a data breach or data leak. These laws are generally known as “breach notification laws.”

Given the potentially serious consequences of a violation, businesses must know whether the Act applies to them and what they must do to ensure compliance.

Who is Subject to the Act?

The Act applies to all “data collectors.”

According to the Act, “data collector[s] may include, but are not limited to:”

  • government agencies,
  • public and private universities,
  • corporations,
  • financial institutions,
  • retail operators, and
  • any other entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information.

What is “Personal Information”?

The Act defines “personal information” as either (1) an individual’s first name or first initial and last name in combination with any one or more “data elements,” which include SSNs, driver’s license or state ID numbers, account or credit card numbers, medical information, health insurance information, and certain biometric data, or (2) a username or email address in combination with a password or security question and answer. As is common among breach notification statutes, information is only considered “personal information” if it is unredacted/unencrypted or if the keys to unredact/unencrypt the information are lost in the data breach as well. Additionally, information publicly available from government records is not considered “personal information” under the Act.

What Must Businesses Do to Comply with the Act?

The Act requires data collectors to “implement and maintain reasonable security measures to protect [records containing personal information] from unauthorized access, acquisition, destruction, use, modification, or disclosure.”

In the event of a data breach involving the personal information of Illinois residents, the Act requires the data collector to “notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.”

Notice of the breach must “be made in the most expedient time possible and without unreasonable delay.” Notice can be written or electronic (so long as the notice meets federal laws concerning electronic writings and signatures). If more than 500,000 people are affected or the data collector can demonstrate that the cost of notice would exceed $250,000 or that it lacks sufficient information to provide notice, notice may be given by alternative means including by e-mail, conspicuous posting on the data collector’s website, or notification to major statewide media.

What are the Consequences of a Violation?

The costs of violating the Act can be substantial. A violation of the Act constitutes a per se unlawful practice under the Illinois Consumer Fraud Act. The Attorney General may bring an action for injunctive relief, restitution, and civil penalties against the data collector. The data collector may also find itself the defendant in a class action lawsuit brought on behalf of affected individuals. In such suits, the plaintiffs may recover any actual damages as well as costs and attorney’s fees. This can add up to millions of dollars.

The best way to avoid liability is to prevent data breaches in the first place. If you do find yourself in the unfortunate position of having violated the Act, the next best thing is to retain an experienced class-action defense and consumer fraud defense attorney. Super Lawyers named Chicago and Oak Brook business trial attorney Peter Lubin a Super Lawyer in the categories of Class Action, Business Litigation, and Consumer Rights Litigation, and named Chicago slander attorney Patrick Austermuehle a Rising Star. Lubin Austermuehle’s Oak Brook and Chicago business trial lawyers have over thirty years of experience in litigating complex class action, consumer rights, and business and commercial litigation disputes. We handle emergency business lawsuits involving injunctions and TROs; defamation, libel, and covenant-not-to-compete lawsuits; franchise, distributor, and dealer wrongful termination lawsuits; trade secret lawsuits; and many different kinds of business disputes involving shareholders, partnerships, closely held businesses, and employee breaches of fiduciary duty. We also assist businesses and business owners who are victims of fraud or defamatory attacks on their business and reputations.

Our Schaumburg and Evanston consumer and business dispute attorneys provide assistance in data breach, privacy violation, fair debt collection, consumer fraud, and consumer rights cases in Illinois and throughout the country. You can click here to see a description of some of the many individual and class-action consumer cases our Chicago consumer and business dispute lawyers have handled. We also assist Chicago and Oak Brook area businesses and business owners who are victims of data breaches. You can contact us by calling 630-333-0333. You can also contact us online here.
